CVE-2025-13053

HIGH7.0

A missing encryption of sensitive data vulnerability was found in the UPS settings of ADM

Published Dec 12, 2025

Modified 1 months ago

No fix available

Details

When a user configures the NAS to retrieve UPS status or control the UPS, a non-enforced TLS certificate verification can allow an attacker able to intercept network traffic between the client and server can perform a man-in-the-middle (MITM) attack, which may obtain the sensitive information of the UPS server configuation.

This issue affects ADM: from 4.1.0 through 4.3.3.RKD2, from 5.0.0 through 5.1.0.RN42.

References

ADVISORYhttps://www.asustor.com/security/security_advisory_detail?id=49 ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2025-13053

CVSS Analysis

CVSS v4.0

7.0

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Attack Requirements

PresentAT:P

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Vulnerable System

Vuln. Confidentiality

LowVC:L

Vuln. Integrity

NoneVI:N

Vuln. Availability

NoneVA:N

Subsequent System

Subseq. Confidentiality

HighSC:H

Subseq. Integrity

HighSI:H

Subseq. Availability

LowSA:L

7/CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:L

Weakness Type (CWE)

Other

CWE-311

Ecosystems

Timeline

PublishedDec 12, 2025

ModifiedDec 12, 2025

CVE-2025-13053 | Mondoo Vulnerability Intelligence